Logstash Date parsing (with AM/PM data) for YYYY-MM-dd HH:mm:ss,SSS format

abinashkd · June 17, 2019, 2:41pm

Hi,
I am new to logstash. With some R&D I have written a grok, but don't weather it validates or not.

Input:
####<Jun 17, 2019 1:33:20 PM GMT>

Output:
I need the date in the format of 2019-06-17T13:33:20.000Z in ES.
Basically if the timestamp is in PM format then add 12 hrs. Like above time was 1PM , and I need the o/p as 13.

My Prog:

grok {
match => { "message" => "####<%{MONTH:month} %{MONTHDAY:day}, %{YEAR:year} %{TIME:time} %{DATA:ampm} %{DATA:gmt}> %{GREEDYDATA:errormessage}" }
}
if[ampm == "PM"]{
time=time+12
}
mutate {
add_field => { "eventTimestamp" => "%{year}-%{month}-%{day} %{time}" }
}
date {
match => ["eventTimestamp", "YYYY-MM-dd HH:mm:ss,SSS"]
timezone => "UTC"
target => "eventTimestamp"
}

Question: So will this block would suffice ""if[ampm == "PM"]"".

Thanks in advance for any kind of help.

Badger · June 17, 2019, 2:57pm

A date filter will parse this provided you use hh for the hour

grok { match => { "message" => "^####<%{DATA:[@metadata][ts]}>$" } }
date { match => [ "[@metadata][ts]", "MMM dd, YYYY hh:mm:ss a ZZZ" ] }

In your configuration "time = time + 12" will not do what you want.

Note that dd and hh will both match either one or two digits.

abinashkd · June 20, 2019, 9:49am

When I start the log-stash it is giving JSON parser failure for this pattern.

Badger · June 20, 2019, 11:09am

There is no mention of JSON in this thread, so there is no way for us to understand why that might happen unless you show us the configuration and the data.

system · July 18, 2019, 11:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.